The Identity Layer

Wendy Grossman discusses the dilemma users face in displaying their information to companies online.

Image: 'Identity' by comzeradd @flickr.com: CC BY-SA 2.0 licence

This week, the UK government announced a scheme – Midata – under which consumers will be able to reclaim their personal information. The same day, the Centre for the Study of Financial Innovation assembled a group of experts to ask what the business model for online identification should be. And: whatever that model is, what the the government's role should be (For background, here's the previous such discussion).

My eventual thought was that the government's role should be to set standards; it might or might not also be an identity services provider. The government's inclination now is to push this job to the private  sector. That leaves the question of how to serve those who are not commercially interesting; at the CSFI meeting the Post Office seemed the obvious contender for both pragmatic and historical reasons.

As Mike Bracken writes in the Government Digital Service blog posting linked above, the notion of private identity providers is not new. But what he seems to assume is that what's needed is federated identity – that is, in Wikipedia's definition, a means for linking a person's electronic identity and attributes across multiple distinct systems. What I meant is a system in which one may have many limited identities that are sufficiently interoperable that you can make a choice which to use at the point of entry to a given system. We already have something like this on many blogs, where commenters may be offered a choice of logging in via Google, OpenID, or simply posting a name and URL.

The government gateway circa Year 2000 offered a choice: getting an identity certificate required payment of £50 to, if I remember correctly, Experian or Equifax, or other companies whose interest in preserving personal privacy is hard to credit. The CSFI meeting also mentioned tScheme – an industry consortium to provide trust services. Outside of relatively small niches it's made little impact. Similarly, fifteen years ago, the government intended, as part of implementing key escrow for strong cryptography, to create a network of trusted third parties that it would license and, by implication, control. The intention was that the TTPs should be folks that everyone trusts – like banks. Hilarious, we said *then*. Moving on.

In between then and now, the government also mooted a completely centralized identity scheme – that is, the late, unlamented ID card. Meanwhile, we've seen the growth a set of competing American/global businesses who all would like to be *the* consumer identity gateway and who managed to steal first-mover advantage from existing financial institutions. Facebook, Google, and Paypal are the three most obvious. Microsoft had hopes, perhaps too early, when in 1999 it created Passport (now Windows Live ID). More recently, it was the home for Kim Cameron's efforts to reshape online identity via the company's now-cancelled CardSpace, and Brendon Lynch's adoption of U-Prove, based on Stefan Brands' technology. U-Prove is now being piloted in various EU-wide projects. There are probably lots of other organizations that would like to get in on such a scheme, if only because of the data and linkages a federated system would grant them. Credit card companies, for example. Some combination of mobile phone manufacturers, mobile network operators, and telcos. Various medical outfits, perhaps.

An identity layer that gives fair and reasonable access to a variety of players who jointly provide competition and consumer choice seems like a reasonable goal. But it's not clear that this is what either the UK's distastefully spelled "Midata" or the US's NSTIC (which attracted similar concerns when first announced, has in mind. What "federated identity" sounds like is the convenience of "single sign-on", which is great if you're working in a company and need to use dozens of legacy systems. When you're talking about identity verification for every type of transaction you do in your entire life, however, a single gateway is a single point of failure and, as Stephan Engberg, founder of the Danish company Priway, has often said, a single point of control. It’s the Facebook cross-all-the-streams approach, embedded everywhere. Engberg points to a discussion paper) inspired by two workshops he facilitated for the Danish National IT and Telecom Agency (NITA) in late 2010 that covers many of these issues.

Engberg, who describes himself as a "purist" when it comes to individual sovereignty, says the only valid privacy-protecting approach is to ensure that each time you go online on each device you start a new session that is completely isolated from all previous sessions and then have the choice of sharing whatever information you want in the transaction at hand. The EU's LinkSmart project, which Engberg was part of, created middleware to do precisely that. As sensors and RFID chips spread along with IPv6, which can give each of them its own IP address, linkages across all parts of our lives will become easier and easier, he argues.

We've seen often enough that people will choose convenience over complexity. What we don't know is what kind of technology will emerge to help us in this case. The devil, as so often, will be in the details.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.
their personal information</a>. The same day, the Centre for the Study
of Financial Innovation assembled a group of experts to <a
href="http://digitaldebateblogs.typepad.com/idm/2011/10/seventh-roundtable-in-the-series-on-identity-and-financial-services-1.html">ask
what the business model for online identification should be</a>. And:
whatever that model is, what the the government's role should be. (For
background, here's the <a
href="http://www.pelicancrossing.net/netwars/2011/09/trust_exercise.html">previous
such discussion</a>.)</p>

<p>My eventual thought was that the government's role should be to set
standards; it might or might not also be an identity services provider.
The government's inclination now is to push this job to the <a
href="http://www.guardian.co.uk/government-computing-network/2011/nov/01/information-assurance-government-policy">private
sector</a>. That leaves the question of how to serve those who are not
commercially interesting; at the CSFI meeting the Post Office seemed the
obvious contender for both pragmatic and historical reasons.</p>

<p>As <a
href="http://www.theinquirer.net/inquirer/news/399/1051399/guardian-tech-guru-away">Mike
Bracken</a> writes in the Government Digital Service blog posting linked
above, the notion of private identity providers is not new. But what he
seems to assume is that what's needed is federated identity – that is,
in <a
href="https://en.wikipedia.org/wiki/Federated_identity">Wikipedia's
definition</a>, a means for linking a person's electronic identity and
attributes across multiple distinct systems. What I meant is a system in
which one may have many limited identities that are sufficiently
interoperable that you can make a choice which to use at the point of
entry to a given system. We already have something like this on many
blogs, where commenters may be offered a choice of logging in via
Google, OpenID, or simply posting a name and URL.</p>

<p>The government gateway circa Year 2000 offered a choice: getting an
identity certificate required payment of £50 to, if I remember
correctly, Experian or Equifax, or other companies whose interest in
preserving personal privacy is hard to credit. The CSFI meeting also
mentioned <a href="http://www.tscheme.org/">tScheme</a> - an industry
consortium to provide trust services. Outside of relatively small niches
it's made little impact. Similarly, fifteen years ago, the government
intended, as part of implementing key escrow for strong cryptography, to
<a href="http://www.cyber-rights.org/crypto/ukdtirep.htm">create a
network of trusted third parties</a> that it would license and, by
implication, control. The intention was that the TTPs should be folks
that everyone trusts – like banks. Hilarious, we said *then*. Moving on.</p>

<p>In between then and now, the government also mooted a completely
centralized identity scheme – that is, the late, <a
href="http://www.newswireless.net/index.cfm/article/8473">unlamented ID
card</a>. Meanwhile, we've seen the growth a set of competing
American/global businesses who all would like to be *the* consumer
identity gateway and who managed to steal first-mover advantage from
existing financial institutions. Facebook, Google, and Paypal are the
three most obvious. Microsoft had hopes, perhaps too early, when in 1999
it created <a href="http://passport.net">Passport </a> (now Windows Live
ID). More recently, it was the home for <a
href="http://www.theinquirer.net/default.aspx?article=39662">Kim
Cameron</a>'s efforts to reshape online identity via the company's
now-cancelled CardSpace, and <a
href="http://www.theinquirer.net/inquirer/feature/1730563/microsofts-chief-privacy-officer">Brendon
Lynch</a>'s adoption of U-Prove, based on <a
href="http://www.theinquirer.net/inquirer/news/1035306/people-get-protected-from-big-brother-database-threats">Stefan
Brands</a>' technology. U-Prove is now <a
href="http://www.credentica.com">being piloted in various EU-wide
projects</a>. There are probably lots of other organizations that would
like to get in on such a scheme, if only because of the data and
linkages a federated system would grant them. Credit card companies, for
example. Some combination of mobile phone manufacturers, mobile network
operators, and telcos. Various medical outfits, perhaps.</p>

<p>An identity layer that gives fair and reasonable access to a variety
of players who jointly provide competition and consumer choice seems
like a reasonable goal. But it's not clear that this is what either the
UK's distastefully spelled "Midata" or the US's <a
href="http://www.nist.gov/nstic/">NSTIC</a> (which attracted <a
href="http://www.newswireless.net/index.cfm/article/8553">similar
concerns</a> when first announced, has in mind. What "federated
identity" sounds like is the convenience of "single sign-on", which is
great if you're working in a company and need to use dozens of legacy
systems. When you're talking about identity verification for every type
of transaction you do in your entire life, however, a single gateway is
a single point of failure and, as Stephan Engberg, founder of the Danish
company <a href="http://www.priway.com">Priway</a>, has often said, a
single point of control. It’s the Facebook cross-all-the-streams
approach, embedded everywhere. Engberg points to a <a
href="http://digitaliser.dk/resource/896495">discussion paper)</a>
inspired by two workshops he facilitated for the Danish National IT and
Telecom Agency (NITA) in late 2010 that covers many of these issues.</p>

<p>Engberg, who describes himself as a "purist" when it comes to
individual sovereignty, says the only valid privacy-protecting approach
is to ensure that each time you go online on each device you start a new
session that is completely isolated from all previous sessions and then
have the choice of sharing whatever information you want in the
transaction at hand. The EU's <a
href="http://sourceforge.net/projects/linksmart/">LinkSmart</a> project,
which Engberg was part of, created middleware to do precisely that. As
sensors and RFID chips spread along with IPv6, which can give each of
them its own IP address, linkages across all parts of our lives will
become easier and easier, he argues. </p>

<p>We've seen often enough that people will choose convenience over
complexity. What we don't know is what kind of technology will emerge to
help us in this case. The devil, as so often, will be in the <a
href="http://www.isc.org/store/logoware-clothing/isc-9-layer-osi-model-cotton-t-shirt">details</a>.</p>

<p><i>Wendy M. Grossman’s <a href="http://www.pelicancrossing.net">Web
site</a> has an extensive archive of her books, articles, and music, and
an <a href="http://www.pelicancrossing.net/nwcols.htm"> archive of all
the earlier columns in this series</a>. </i></p>

Share this article

Google+ Delicious Digg Facebook Google LinkedIn StumbleUpon Twitter Reddit Newsvine E-mail

Comments

Comments (1)

  1. JD:
    Nov 06, 2011 at 08:04 PM


    I know how to make nitroglycerine from household components, but there is no way I will ever contemplate doing so!

    Also with all this SNOOPING on the WWW, why on earth would I consider putting ANYTHING personally identifiable on it?

    https://twitter.com/#!/mattcutts/status/131425949597179904
    ---------------------------
    Googlebot keeps getting smarter. Now has the ability to execute AJAX/JS to index some dynamic comments

This thread has been closed from taking new comments.

By Wendy M Grossman on Nov 05, 2011

Featured Article

Schmidt Happens

Wendy M. Grossman responds to "loopy" statements made by Google Executive Chairman Eric Schmidt in regards to censorship and encryption.

ORGZine: the Digital Rights magazine written for and by Open Rights Group supporters and engaged experts expressing their personal views

People who have written us are: campaigners, inventors, legal professionals , artists, writers, curators and publishers, technology experts, volunteers, think tanks, MPs, journalists and ORG supporters.

ORG Events